The weakness of ICS maintenance operations

What would you say is your biggest concern when it comes to cyber threats to your ICS system?

When I asked several cyber-officers in big utilities, they told me that their biggest concern was the interaction between people and the ICS network.

This is how it usually goes:

John, the network operator, defines a task compliant with the NERC CIP v5 guidelines. The maintenance engineer will be Mike, and the task is set for Monday, somewhere between 8:00AM and 2:00PM. The main objectives are to update the upper and lower allowed values on fault detection IED #5, and to upgrade the software on RTU #1.

John calls Mike and explains the task to him. He adds some cautionary information regarding RTU #2 and RTU #3, which Mike is not allowed to change. Mike takes note of the instructions and the warnings.

At 8:00AM on Monday, Mike enters the substation. He swipes his employee access card at the card reader, and enters his personal password. He then connects to the substation network using a dedicated maintenance PC and begins the operation.

At 8:30 the transformer disconnects from the HV grid. The substation goes down. The consequential financial damages are huge.

This is not a story of fiction. This is a scenario we have heard several times from utility managers.

At this point, an investigation is initiated. Sometimes it is Mike who inadvertently ignored the utility’s policies; other times it is John who failed to test the updates for safety and reliability before deployment; and yet other times it is malware that entered the network through the maintenance PC. One thing is clear: this is a common scenario, and it shouldn’t be.

The OT Challenge: Controlling Maintenance Operations

There are many types of interactions between ICS engineers and OT (operational technology) networks. Some are performed locally and some remotely. Some are scheduled long in advance, others are ad hoc.

As of today, maintenance operations (M.O.) in utilities have yet to rise to the cyber-threats they expose the OT network to. At best there is control over when the OT network is opened for maintenance, but no more than that; in most cases there is no mechanism in place for monitoring and logging the traffic produced during the maintenance session.

The Solution: Radiflow’s “Task-Based User Permission”

At Radiflow we believe that operators should have more control over such interactions with ICS systems.

Based on the guidelines delineated in NERC CIPv5, each task needs to be explicitly defined by the operator, listing the exact user, devices and operations (read, write, update, etc.) involved.

At the beginning of the maintenance operation, the gateway should identify the user using a two-factor authentication scheme, matching the technician’s user name and password with some sort of physical identification (e.g. biometric identification or facial recognition).

After authentication, the gateway starts enforcing the pre-configured policies for maintenance operations. To do this, the Radiflow secure gateway employs a dynamic industrial firewall configuration. The dynamic rules are automatically loaded based on the task definition. This is what we call “task-based user permissions.”

During all maintenance operations, the secure gateway constantly monitors all activities and alerts on any violation, and is even able to prevent the most critical violations. The user in the substation should be able to request more permissions if needed. At the end of the maintenance task, the operation manager receives a full report with all session details: traffic files, duration, configuration changes and more.
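The workflow just described (task definition, rule derivation, enforcement with alerting and blocking, and an end-of-session report) can be illustrated in a few dozen lines of Python. This is an added example written for this post, not Radiflow's gateway code: it assumes the technician has already passed the two-factor check, and the user name, device names, operation names and the event records it evaluates are all constructed for the story above (Mike, IED #5, RTU #1 allowed; RTU #2 and RTU #3 off-limits).

```python
"""Task-based user permission check for one ICS maintenance session.

Added example (not Radiflow's code). The operator defines a task (user,
devices, operations, time window), the gateway derives allow rules from it,
evaluates each observed maintenance action against those rules, alerts on
or blocks violations, and produces a session report. All names and events
below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Task:
    user: str
    allowed: dict       # device -> set of permitted operations
    start: datetime     # maintenance window start
    end: datetime       # maintenance window end


@dataclass
class Event:
    time: datetime
    user: str
    device: str
    operation: str
    detail: str = ""


@dataclass
class Report:
    allowed: list = field(default_factory=list)
    alerted: list = field(default_factory=list)   # logged, traffic still passed
    blocked: list = field(default_factory=list)   # prevented by the gateway


# Operations that change device state: out-of-task attempts are blocked,
# not merely logged. Reads outside the task only raise an alert.
CRITICAL_OPS = {"write", "update", "firmware_upgrade"}


def build_rules(task: Task) -> set:
    """Derive firewall-style allow tuples (user, device, operation) from the task."""
    return {(task.user, dev, op) for dev, ops in task.allowed.items() for op in ops}


def evaluate(task: Task, rules: set, events: list) -> Report:
    """Classify every observed action as allowed, alerted or blocked."""
    report = Report()
    for ev in events:
        in_window = task.start <= ev.time <= task.end
        permitted = in_window and (ev.user, ev.device, ev.operation) in rules
        if permitted:
            report.allowed.append(ev)
        elif ev.operation in CRITICAL_OPS:
            report.blocked.append(ev)
        else:
            report.alerted.append(ev)
    return report


def summarize(report: Report) -> dict:
    """End-of-session summary for the operations manager."""
    changes = [(e.device, e.operation, e.detail)
               for e in report.allowed if e.operation in CRITICAL_OPS]
    return {
        "allowed": len(report.allowed),
        "alerted": len(report.alerted),
        "blocked": len(report.blocked),
        "violations": len(report.alerted) + len(report.blocked),
        "configuration_changes": changes,
    }


def demo_task() -> Task:
    # Constructed task matching the story: Monday 08:00-14:00 (date is arbitrary).
    return Task(
        user="mike",
        allowed={"IED #5": {"read", "write"}, "RTU #1": {"read", "firmware_upgrade"}},
        start=datetime(2024, 1, 8, 8, 0),
        end=datetime(2024, 1, 8, 14, 0),
    )


def demo_events() -> list:
    # Constructed session traffic: three in-scope actions, three violations.
    t = lambda h, m: datetime(2024, 1, 8, h, m)
    return [
        Event(t(8, 5), "mike", "IED #5", "read"),
        Event(t(8, 10), "mike", "IED #5", "write", "upper=1.15pu lower=0.85pu"),
        Event(t(8, 20), "mike", "RTU #1", "firmware_upgrade", "v2.3 -> v2.4"),
        Event(t(8, 25), "mike", "RTU #2", "write", "setpoint change"),   # off-limits
        Event(t(8, 27), "mike", "RTU #3", "read"),                        # off-limits
        Event(t(14, 30), "mike", "IED #5", "write", "after window"),      # too late
    ]


def run_demo() -> Report:
    task = demo_task()
    return evaluate(task, build_rules(task), demo_events())


if __name__ == "__main__":
    print(summarize(run_demo()))
```

Running the script prints three allowed actions, one alert (the read of RTU #3) and two blocked writes (RTU #2 during the window, IED #5 after it), together with the two configuration changes that were actually applied. Real gateways derive the event records from parsed industrial protocol traffic rather than a hand-written list, but the policy logic is the same.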

Radiflow’s “task-based user permission” provides control over one of the riskiest threats to ICSs: human error when interacting with the ICS. The enforcement of policies, the monitoring and the reporting eliminate the “blind spots” in the interaction between maintenance engineers and OT networks. The automatic creation of dynamic firewall rules allows utilities to supervise and control network operations with minimal additional effort.

Significant improvements in cyber security that require minimal effort: this is how ICS cyber-defense should be done.